path: root/src/include
Commit message | Author | Age | Files | Lines
...
* Add GIC option for password/account expiration callback | Greg Hudson | 2010-08-12 | 2 | -0/+46
  Add a new GIC option to specify a callback to receive password and account expiration times found in an AS reply. See also: http://k5wiki.kerberos.org/wiki/Projects/Password_expiration_API
  ticket: 6755
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24241 dc483132-0cff-0310-8789-dd5450dbe970
* Revert the part of r24157 which added the dal_version argument to the | Greg Hudson | 2010-07-21 | 1 | -5/+4
  init_library interface. Instead use the already existing maj_ver field of the DAL vtable to detect incompatibilities. Since maj_ver is a short int, use an incrementing number instead of a date for the major version.
  ticket: 6749
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24200 dc483132-0cff-0310-8789-dd5450dbe970
* In the DAL documentation, describe how a module can supply referral | Greg Hudson | 2010-07-19 | 1 | -1/+4
  encrypted padata.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24190 dc483132-0cff-0310-8789-dd5450dbe970
* Add check_allowed_to_delegate to the DAL with a corresponding libkdb5 | Greg Hudson | 2010-07-15 | 1 | -31/+17
  API, replacing the last method (CHECK_ALLOWED_TO_DELEGATE) of db_invoke. Remove db_invoke since it no longer has any methods.
  ticket: 6749
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24189 dc483132-0cff-0310-8789-dd5450dbe970
* Addendum to r24182: Fix a comment referencing the db_invoke | Greg Hudson | 2010-07-15 | 1 | -4/+2
  SIGN_DB_AUTHDATA method.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24188 dc483132-0cff-0310-8789-dd5450dbe970
* Add refresh_config to the DAL with a corresponding libkdb5 API, | Greg Hudson | 2010-07-15 | 1 | -6/+9
  replacing the REFRESH_POLICY method of db_invoke.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24187 dc483132-0cff-0310-8789-dd5450dbe970
* Addendum to r24185: make audit_as_req return void, since it's an | Greg Hudson | 2010-07-13 | 1 | -13/+7
  informational method and we're not going to do anything with the result.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24186 dc483132-0cff-0310-8789-dd5450dbe970
* Add audit_as_req to the DAL with a corresponding libkdb5 API, | Greg Hudson | 2010-07-13 | 1 | -28/+21
  replacing the AUDIT_AS_REQ method of db_invoke. Remove the AUDIT_TGS_REQ method of db_invoke without adding a replacement, as there was no KDC support for it. (It can be added at a later time if necessary.)
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24185 dc483132-0cff-0310-8789-dd5450dbe970
* Add check_policy_as and check_policy_tgs to the DAL table with | Greg Hudson | 2010-07-13 | 1 | -43/+49
  corresponding libkdb5 APIs, replacing the CHECK_POLICY_AS and CHECK_POLICY_TGS methods of db_invoke.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24184 dc483132-0cff-0310-8789-dd5450dbe970
* Add check_transited_realms to the DAL table with a corresponding | Greg Hudson | 2010-07-12 | 1 | -14/+15
  libkdb5 API, replacing the CHECK_TRANSITED_REALMS method of db_invoke.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24183 dc483132-0cff-0310-8789-dd5450dbe970
* Add sign_authdata to the DAL table with a corresponding libkdb5 API, | Greg Hudson | 2010-07-12 | 1 | -32/+77
  replacing the SIGN_AUTH_DATA method of db_invoke.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24182 dc483132-0cff-0310-8789-dd5450dbe970
* Create a KRB5_KDB_FLAG_ALIAS_OK to control whether plugin modules | Greg Hudson | 2010-07-08 | 1 | -10/+14
  should return in-realm aliases. Set it where appropriate, and use it in the LDAP module instead of intuiting the result based on other flags.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24178 dc483132-0cff-0310-8789-dd5450dbe970
* Remove count parameters from get_principal, put_principal, | Greg Hudson | 2010-07-06 | 2 | -55/+26
  free_principal, delete_principal, and get_policy. Make get_principal allocate the DB entry container. Fold krb5_db_get_principal_ext into krb5_db_get_principal.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24175 dc483132-0cff-0310-8789-dd5450dbe970
* Make the APIs for iterate, get_master_key_list, set_master_key_list, | Greg Hudson | 2010-07-03 | 1 | -24/+10
  and promote_db return KRB5_PLUGIN_OP_NOTSUPP if the KDB module does not implement them, avoiding the need for stub default implementations.
  ticket: 6749
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24171 dc483132-0cff-0310-8789-dd5450dbe970
* Use KRB5_PLUGIN_OP_NOTSUPP uniformly as the error code for operations | Greg Hudson | 2010-07-03 | 1 | -9/+7
  not supported by a KDB module. (Previously KRB5_KDB_DBTYPE_NOSUP was used in some cases and KRB5_PLUGIN_OP_NOTSUPP in others.)
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24170 dc483132-0cff-0310-8789-dd5450dbe970
* Remove store_master_key from the DAL table, and implement | Greg Hudson | 2010-07-02 | 1 | -21/+0
  krb5_store_master_key in terms of krb5_store_master_key_list.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24168 dc483132-0cff-0310-8789-dd5450dbe970
* Make krb5_db_free_principal and krb5_db_free_mkey_list return void. | Greg Hudson | 2010-07-02 | 1 | -8/+5
  Remove the stale prototype for krb5_db_free_master_key.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24167 dc483132-0cff-0310-8789-dd5450dbe970
* Remove verify_master_key from the DAL table, as well as its associated | Greg Hudson | 2010-07-02 | 1 | -26/+6
  libkdb5 interface. Callers can (and mostly already do) use krb5_fetch_mkey_list to verify master keyblocks. Adjust tests/create, tests/verify, and kdb5_util dump to do so.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24166 dc483132-0cff-0310-8789-dd5450dbe970
* Remove db_ and similar prefixes from DAL function names, for | Greg Hudson | 2010-07-02 | 1 | -58/+57
  consistency. Follow suit inside the DB2 and LDAP modules. (No change to the caller-facing libkdb5 APIs.)
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24165 dc483132-0cff-0310-8789-dd5450dbe970
* Rename krb5_dbekd_encrypt_key_data and krb5_dbekd_decrypt_key_data to | Greg Hudson | 2010-07-02 | 1 | -37/+22
  just use the krb5_dbe prefix.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24164 dc483132-0cff-0310-8789-dd5450dbe970
* Remove setup_master_key_name from the DAL table as it was not used | Greg Hudson | 2010-07-02 | 1 | -6/+0
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24163 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the set_master_key and get_master_key DAL interfaces and their | Greg Hudson | 2010-07-02 | 1 | -34/+0
  corresponding libkdb5 APIs, as they were not productively used. In kdb5_ldap_util, stop using the realm data's mkey field as a container to communicate the master key to static helper functions, since the field no longer exists.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24162 dc483132-0cff-0310-8789-dd5450dbe970
* Remove errcode_2_string and release_errcode_string from the DAL table, | Greg Hudson | 2010-07-02 | 1 | -15/+0
  and stop using them in kdb5.c. Modules can simply set error messages in the krb5 context on error.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24159 dc483132-0cff-0310-8789-dd5450dbe970
* Remove db_supported_realms and db_free_supported_realms from the DAL | Greg Hudson | 2010-07-02 | 1 | -16/+1
  table, and remove the corresponding libkdb5 interfaces (which don't seem to have been in the library export table).
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24158 dc483132-0cff-0310-8789-dd5450dbe970
* DAL improvements | Greg Hudson | 2010-07-02 | 1 | -1/+12
  Add KRB5_KDB_API_VERSION to allow callers to adjust to incompatible changes in libkdb; to be kept in sync with the libkdb major version, which is bumped to 5 in anticipation of other changes.

  Add KRB5_KDB_DAL_VERSION to allow database modules to detect when they are mismatched with the KDB version. Since KDB modules are often developed concurrently with trunk code, this is defined to be the date of the last incompatible DAL change. The DAL version is passed to the init_library DAL function; the module should check it against the value of KRB5_KDB_DAL_VERSION it was compiled with and return KRB5_KDB_DBTYPE_MISMATCH if it doesn't match.
  ticket: 6749
  status: open
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24157 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some unused (as of yet) trace macro definitions | Greg Hudson | 2010-06-10 | 1 | -10/+0
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24125 dc483132-0cff-0310-8789-dd5450dbe970
* Trace logging | Greg Hudson | 2010-06-07 | 4 | -1/+397
  Add trace logging infrastructure code, enabled by the KRB5_TRACE environment variable or the API functions krb5_set_trace_callback() or krb5_set_trace_filename(). As a start, add tracing events for:
    * AS-REQ client code, including FAST and preauth
    * TGS-REQ client code
    * AP-REQ and AP-REP code (client and server)
    * sendto_kdc
    * Selected ccache operations
    * Selected keytab operations
  ticket: 6737
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24118 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_enctype_to_name() API | Greg Hudson | 2010-06-04 | 1 | -0/+2
  Add an API to return the input name, or optionally the shortest alias, of an enctype. Similar to krb5_enctype_to_string() which returns a description.
  ticket: 6736
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24117 dc483132-0cff-0310-8789-dd5450dbe970
* Reimplement krb5_get_in_tkt_with_skey in terms of krb5_get_init_creds, | Greg Hudson | 2010-05-12 | 2 | -28/+0
  similar to how the password and keytab equivalents were done. Eliminate krb5_get_in_tkt. It's been very hard to use since we made krb5_kdc_rep_decrypt_proc private (in krb5 1.7 the prototype was taken out of krb5.h altogether), and it's unlikely that anything would have used it directly in the first place. Remove and/or simplify a lot of code depended on by krb_get_in_tkt, including all of preauth.c.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24012 dc483132-0cff-0310-8789-dd5450dbe970
* Add lockout-related performance tuning variables | Greg Hudson | 2010-05-10 | 1 | -0/+2
  The account lockout feature of krb5 1.8 came at a cost in database accesses for principals requiring preauth, even if lockout is not used. Add dbmodules variables disable_last_success and disable_lockout for the DB2 and LDAP back ends, allowing the admin to recover the lost performance at the cost of new functionality. (Unrelated documentation fix: document database_name as a DB2-specific dbmodules variable instead of the realm variable it used to be.)
  ticket: 6719
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24003 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate the unused realm_dbname field from krb5_realm_params | Greg Hudson | 2010-05-04 | 1 | -1/+0
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23968 dc483132-0cff-0310-8789-dd5450dbe970
* Remove krb5_db_set_option and the associated DAL entry. It was not | Greg Hudson | 2010-05-04 | 1 | -17/+0
  used.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23965 dc483132-0cff-0310-8789-dd5450dbe970
* Correct the DAL documentation for db_create | Greg Hudson | 2010-05-03 | 1 | -3/+4
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23964 dc483132-0cff-0310-8789-dd5450dbe970
* Add IAKERB mechanism and gss_acquire_cred_with_password | Greg Hudson | 2010-04-30 | 2 | -0/+29
  Merge branches/iakerb to trunk. Includes the following:
    * New IAKERB mechanism.
    * New gss_acquire_cred_with_password mechglue function.
    * ASN.1 encoders and decoders for IAKERB structures (with tests).
    * New shortcuts in gss-sample client and server.
    * Tests to exercise SPNEGO and IAKERB using gss-sample application.
  ticket: 6712
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23960 dc483132-0cff-0310-8789-dd5450dbe970
* Add KRB5_INIT_CREDS_STEP_FLAG_CONTINUE for parity with Heimdal. | Greg Hudson | 2010-04-20 | 1 | -4/+6
  Rename KRB5_TKT_CREDS_CONTINUE to KRB5_TKT_CREDS_STEP_FLAG_CONTINUE for consistency. Adjust init_creds context to be less confusing in light of the above.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23906 dc483132-0cff-0310-8789-dd5450dbe970
* Introduce new krb5_tkt_creds API | Greg Hudson | 2010-04-14 | 2 | -9/+96
  Merged from branches/iakerb: add new asynchronous krb5_tkt_creds APIs, which allow a caller to take responsibility for transporting requests to the KDC and getting responses back. Rewrite the existing krb5_get_credentials API in terms of the new functions. Get rid of krb5_get_cred_from_kdc and friends, since they are no longer used.
  ticket: 6700
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23900 dc483132-0cff-0310-8789-dd5450dbe970
* Add krb5_cc_dup() to make it possible to copy ccache handles | Greg Hudson | 2010-04-08 | 1 | -0/+7
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23874 dc483132-0cff-0310-8789-dd5450dbe970
* krb5_typed_data not castable to krb5_pa_data on 64-bit MacOSX | Tom Yu | 2010-03-23 | 2 | -11/+13
  Move krb5_typed_data to krb5.hin from k5-int-pkinit.h because krb5int_fast_process_error was assuming that it was safe to cast it to krb5_pa_data. It's not safe to do the cast on 64-bit MacOSX because krb5.hin uses #pragma pack on that platform.
  ticket: 6689
  target_version: 1.8.1
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23829 dc483132-0cff-0310-8789-dd5450dbe970
* Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 | Greg Hudson | 2010-03-20 | 1 | -1/+1
  KRB5_AUTHDATA_SIGNTICKET, originally a Heimdal authorization data type, was used to implement PAC-less constrained delegation in krb5 1.8. Unfortunately, it was found that Microsoft was using 142 for other purposes, which could result in a ticket issued by an MIT or Heimdal KDC being rejected by a Windows Server 2008 R2 application server.

  Because KRB5_AUTHDATA_SIGNTICKET is only used to communicate among a realm's KDCs, it is relatively easy to change the number, so MIT and Heimdal are both migrating to a new number. This change will cause a transitional interoperability issue when a realm mixes MIT krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1 (or Heimdal 1.3.2) KDCs, but only for constrained delegation evidence tickets.
  ticket: 6687
  target_version: 1.8.1
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23821 dc483132-0cff-0310-8789-dd5450dbe970
* Untabify | Ken Raeburn | 2010-03-18 | 1 | -6/+6
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23817 dc483132-0cff-0310-8789-dd5450dbe970
* Copyright notice | Ken Raeburn | 2010-03-18 | 1 | -1/+29
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23816 dc483132-0cff-0310-8789-dd5450dbe970
* Merge users/raeburn/branches/network-merge | Ken Raeburn | 2010-03-17 | 1 | -0/+50
  Re-integrates the forked versions of network.c in kdc and kadmin/server. Server-specific initialization and SIGHUP-reset code is moved into other source files; the more generic network-servicing code is merged and moved into apputils library already used by both programs.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23811 dc483132-0cff-0310-8789-dd5450dbe970
* Use KRB5_CONF_ macros instead of strings in the source file for profile config attributes "default" and "logging" | Zhanna Tsitkov | 2010-03-10 | 1 | -3/+5
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23798 dc483132-0cff-0310-8789-dd5450dbe970
* Remove vestigial include/spnego-asn1.h | Greg Hudson | 2010-03-10 | 1 | -90/+0
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23796 dc483132-0cff-0310-8789-dd5450dbe970
* Use bswap16 and bswap32 on NetBSD | Ken Raeburn | 2010-02-20 | 1 | -2/+14
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23741 dc483132-0cff-0310-8789-dd5450dbe970
* Correct the DAL documentation of | Greg Hudson | 2010-02-01 | 1 | -5/+9
  KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE; proxy is the target service, not the delegating service.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23680 dc483132-0cff-0310-8789-dd5450dbe970
* Correct the DAL documentation for how modules should handle referrals | Greg Hudson | 2010-01-29 | 1 | -17/+29
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23678 dc483132-0cff-0310-8789-dd5450dbe970
* Handle migration from pre-1.7 databases with master key kvno != 1 | Greg Hudson | 2010-01-28 | 1 | -0/+8
  krb5_dbe_lookup_mkvno assumes an mkvno of 1 for entries with no explicit tl_data. We've seen at least one pre-1.7 KDB with a master kvno of 0, violating this assumption. Fix this as follows:
    * krb5_dbe_lookup_mkvno outputs 0 instead of 1 if no tl_data exists.
    * A new function krb5_dbe_get_mkvno translates this 0 value to the minimum version number in the mkey_list. (krb5_dbe_lookup_mkvno cannot do this as it doesn't take the mkey_list as a parameter.)
    * Call sites to krb5_dbe_lookup_mkvno are converted to krb5_dbe_get_mkvno, except for an LDAP case where it is acceptable to store 0 if the mkvno is unknown.
  ticket: 6650
  target_version: 1.7.1
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23676 dc483132-0cff-0310-8789-dd5450dbe970
* Get rid of kdb_ext.h and allow out-of-tree KDB plugins | Greg Hudson | 2010-01-27 | 2 | -169/+133
  Move the contents of kdb_ext.h into kdb.h, since there is no meaningful "extensions" category of DB interfaces now that this stuff is in our tree. Allows out-of-tree KDB plugins to be built since we install kdb.h.
  ticket: 6649
  target_version: 1.8
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23674 dc483132-0cff-0310-8789-dd5450dbe970
* In the DAL comments, document KRB5_KDB_INCLUDE_PAC, and correct the | Greg Hudson | 2010-01-25 | 1 | -7/+14
  documentation of the S4U flags to indicate that they affect PAC generation.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23667 dc483132-0cff-0310-8789-dd5450dbe970